Factors.ai | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Factors.ai discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

27 detections across 18 sites26% pre-consent activity

HIGH

Pre-Consent Activity

Factors.ai was observed loading and executing before user consent was obtained on 26% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

pending

UNKNOWN

They Claim

“Requires claims extraction via CDT”

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

Marketing teams gain account visibility but organization surrenders visitor behavioral data to third-party identity infrastructure. Every anonymous visitor session feeds Factors' matching algorithms and downstream data partners. Tag manager deployment enables capability expansion without security review, creating compliance blind spots as tracking evolves.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Factors.ai

→Audit tag manager deployment for dynamic script loading and third-party calls
→Review DPA for clarity on identity graph providers and data sharing arrangements
→Implement consent gate to prevent identification of EU/UK visitors without explicit opt-in

If You're Evaluating Factors.ai

→Server-side identification to reduce client-side fingerprinting footprint
→First-party identity resolution using owned data sources only
→Alternative ABM platforms with transparent matching methodologies

Negotiation Leverage

→Demand exhaustive list of identity data providers and explicit controls over downstream data sharing
→Request contractual prohibition on using your visitor data to enrich Factors' identity graph for other customers
→Negotiate tag manager deployment restrictions requiring approval for new tracking capabilities or third-party integrations

Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Fingerprints visitors through interaction patterns, device characteristics, and engagement signals to enable cross-session identification

BTI-C08Cross-Domain Sync

Identity stitching

Impact: Synchronizes visitor identity across domains and sessions through third-party identity graph integrations

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C14Identity Resolution

PII deanonymization

BTI-C15Tag Manager

Container/loader (neutral)

Impact: Injects via GTM to bypass security review and dynamically load additional tracking capabilities without deployment visibility

IOC Manifest

15 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*app.factors.ai/assets/factors.js*

Tracking script

TRACK

app.factors.ai/assets/factors.js

Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Emerging ABM attribution vendor competing in crowded visitor intelligence market against 6sense, Demandbase, and Clearbit. Part of de-anonymization category racing toward comprehensive visitor unmasking.

Loads (1)

Termly

Loaded By (5)

Adara Fingerprintjs Logrocket Verisoul Zipy

Commonly Deployed With

Googletagmanager Googleanalytics4 Metapixel Linkedinads Doubleclick Clarity Segment Clay Eppo Zoominfo

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

15 detection signatures across scripts, domains, cookies, and network endpoints